Schrems II – The return of the GDPR(?)

What may sound a little like the title of a wannabe Hollywood movie created a stir in politics and companies in the US and the EU alike back in July 2020.

The main actors: the Austrian privacy activist Max Schrems, US tech giant Facebook, specifically its subsidiary Facebook Ireland, and the Grand Chamber of the European Court of Justice. [1]

A brief summary of the plot: Max Schrems lodged a complaint against Facebook Ireland for transferring Schrems’ personal data to its headquarters in the US. According to Schrems, this violated the GDPR as well as EU law. The Court of Justice of the European Union (CJEU) assessed the legal basis for transferring personal data from the EU to the US, the so-called “Privacy Shield” principles. Under the “Privacy Shield” framework, EU businesses were able to legally transfer personal data to US-based companies that were listed in the “Privacy Shield” list.

The judgment was devastating in its clarity. The “Privacy Shield” between the US and the EU was declared invalid with immediate effect. “The Court held that the US does not provide for an essentially equivalent, and therefore sufficient, level of protection as guaranteed by the GDPR and the CFR. The legal bases of US surveillance programmes such as PRISM and UPSTREAM are not limited to what is strictly necessary and would be considered a disproportionate interference with the rights to protection of data and privacy (Article 45(1) GDPR, read in light of Articles 7, 8 and 52(1) CFR), since they do not sufficiently limit the powers conferred upon US authorities and lack actionable rights for EU subjects against US authorities.” [2]

But what does this ruling now mean for a business transferring personal data of EU citizens to the US?

Well, there are still the Standard Contractual Clauses (SCCs), which the CJEU confirmed as valid. But at the same time the Court also “held that SCCs do not, per se, present lawful or unlawful grounds for data transfer (no panacea). The CJEU also stipulates that data controllers or operators that seek to transfer data based on SCCs, must ensure that the data subject is afforded a level of protection essentially equivalent to that guaranteed by the GDPR and CFR – if necessary with additional measures to compensate for lacunae in the protection of third-country legal systems. Failing that, operators must suspend the data transfer.” [2]

So, what could these measures be? US-based companies challenging US federal law in favour of the EU’s GDPR? That seems very unlikely. And from a technical perspective? Full end-to-end encryption to prevent US authorities from gaining access to the clear-text personal data might work, but it would render most of the services offered by US companies unusable, as they typically require unencrypted data to work properly, be it identity and access management systems, map services, or even the captcha services found on many web sites.

What if the personal data never leaves the EU and is only processed on European servers of those US companies? US authorities have a tool that secures them access even in this case: the US CLOUD Act. The European Data Protection Supervisor (EDPS) has considered the law to be in possible conflict with the GDPR. [3]

As a business that relies on services from US companies, you should clearly assess the associated risks. Wait and see might not be the proper strategy here, as penalties for GDPR violations can be severe for a business.

For small and medium-sized companies in particular, those fines can be an enormous business risk. Thus, knowing which services an organization relies on is extremely important. This helps an organization evaluate for which of these services alternatives exist that are not subject to the disputes above, decreasing the risk step by step, or at least not increasing the dependencies even further when considering new service offerings.

Waiting and ignoring the issue until politics delivers a solution is not an option here.

I am glad you made it to this point in the article. While the topic might be considered a bit boring, it is an important one, nevertheless. A topic that will even gain in importance for businesses in the future.

[1] https://curia.europa.eu/juris/liste.jsf?language=en&num=C-311/18

[2] https://www.europarl.europa.eu/RegData/etudes/ATAG/2020/652073/EPRS_ATA(2020)652073_EN.pdf

[3] https://edps.europa.eu/sites/edp/files/publication/19-07-10_edpb_edps_cloudact_annex_en.pdf